Abstract. Conventional Non-Linear Feedback Shift Registers (NLFSRs) use the
Fibonacci configuration in which the value of the first bit is updated according
to some non-linear feedback function of previous values of other bits, and
each remaining bit repeats the value of its previous bit. We show how to
transform the feedback function of a Fibonacci NLFSR into several smaller feedback
functions of individual bits. Such a transformation reduces the propagation time,
thus increasing the speed of pseudo-random sequence generation. The practical
significance of the presented technique is that it makes it possible to increase the
keystream generation speed of any Fibonacci NLFSR-based stream cipher with
no penalty in area.
1 Introduction

Non-Linear Feedback Shift Registers (NLFSRs) have been proposed as an alternative
to Linear Feedback Shift Registers (LFSRs) for generating pseudo-random sequences
for stream ciphers. NLFSR-based stream ciphers include Achterbahn [1], Dragon [2],
Grain [3], Trivium [4], VEST [5], and [6]. NLFSRs have been shown to be more
resistant to cryptanalytic attacks than LFSRs [7,8]. However, construction of large
NLFSRs with guaranteed long periods remains an open problem. A systematic algorithm
for NLFSR synthesis has not been discovered so far. Only some special cases have been
considered [9,10,11,12,13,14,15,16,17].

In general, there are two ways to implement an NLFSR: in the Fibonacci
configuration, or in the Galois configuration. The Fibonacci configuration, shown in
Figure 1, is conceptually simpler. The Fibonacci type of NLFSR consists of a number of
bits numbered from left to right as $n-1, n-2, \ldots, 0$ with feedback from each bit to the
$(n-1)$th bit. At each clocking instance, the value of the bit $i$ is moved to the bit $i-1$. The
value of the bit 0 becomes the output of the register. The new value of the bit $n-1$ is
computed as some non-linear function of the previous values of other bits.

Fig. 1. A Fibonacci type of NLFSR.

In the Galois type of NLFSR, shown in Figure 2, each bit $i$ is updated according to
its own feedback function. Thus, in contrast to the Fibonacci NLFSRs in which
feedback is applied to the $(n-1)$th bit only, in the Galois NLFSRs feedback is potentially
applied to every bit. Since the next state functions of individual bits of a Galois NLFSR
are computed in parallel, the propagation time is reduced to that of smaller functions
of individual bits. This makes Galois NLFSRs particularly attractive for stream cipher
applications in which high keystream generation speed is important.

However, Galois NLFSRs also have the following two drawbacks:

1. An $n$-bit Galois NLFSR with the period of $2^n - 1$ does not necessarily satisfy the
1st and the 2nd postulates of Golomb [18]. An $n$-bit Fibonacci NLFSR with the
period of $2^n - 1$ always satisfies both postulates [9].

2. The period of the output sequence of a Galois NLFSR is not necessarily equal to the
length of the longest cyclic sequence of its consecutive states [18]. The period of a
Fibonacci NLFSR always equals the longest cyclic sequence of its consecutive
states [9].

These drawbacks do not create any problems in the linear case because, for LFSRs,
there exists a one-to-one mapping between the Fibonacci and Galois configurations.
A Galois LFSR generating the same output sequence as a given Fibonacci LFSR
(and therefore possessing none of the above mentioned drawbacks) can be obtained by
reversing the order of the feedback taps and adjusting the initial state. For example,
Figure 3 shows the Fibonacci and Galois configurations for the generator polynomial
$x^3 + x + 1$. If the Fibonacci LFSR is initialized to the state 001 and the Galois one is
initialized to the state 101, then they generate the same periodic sequence 1001011.

In the non-linear case, however, no mapping between the Fibonacci and the Galois
configurations has been known until now. The problem of finding such a mapping is
addressed in this paper. We show that, for each Fibonacci NLFSR, there exists a class of
equivalent Galois NLFSRs which produce the same output sequence. We show how to
transform a given Fibonacci NLFSR into an equivalent Galois NLFSR.

The most significant contribution of the paper is a sufficient condition for
equivalence of two NLFSRs before and after the transformation. It is formulated and proved
for the general case which covers not only the equivalence between a Fibonacci and a
Galois NLFSR, but also the equivalence between two Galois NLFSRs.

The paper is organized as follows. Section 2 describes main notions and definitions
used in the sequel. Section 3 formulates a sufficient condition for existence of a
non-linear recurrence describing the output sequence of an NLFSR. Section 4 presents a
sufficient condition for the equivalence of two NLFSRs. In Section 5 we define a Galois
NLFSR which is unique for a given Fibonacci NLFSR and show how to compute it.
Section 6 concludes the paper and discusses open problems.

Fig. 2. A Galois type of NLFSR.



2 Preliminaries 

In this section, we describe basic definitions and notation used in the sequel. 

The algebraic normal form (ANF) of a Boolean function $f : \{0,1\}^n \rightarrow \{0,1\}$ is a
polynomial in $GF(2)$ of type

$$f(x_0, \ldots, x_{n-1}) = \sum_{i=0}^{2^n-1} c_i \cdot x_0^{i_0} \cdot x_1^{i_1} \cdot \ldots \cdot x_{n-1}^{i_{n-1}},$$

where $c_i \in \{0,1\}$ and $(i_0 i_1 \ldots i_{n-1})$ is the binary expansion of $i$ with $i_0$ being the least
significant bit.

The dependence set (or support set) of a Boolean function $f$ is defined by

$$dep(f) = \{i \mid f|_{x_i=0} \neq f|_{x_i=1}\},$$

where $f|_{x_i=j} = f(x_0, \ldots, x_{i-1}, j, x_{i+1}, \ldots, x_{n-1})$ for $j \in \{0,1\}$.

Let $\alpha_{min}(f)$ ($\alpha_{max}(f)$) be the smallest (largest) index of variables in $dep(f)$.

Let $f_i : \{0,1\}^n \rightarrow \{0,1\}$ be a feedback function of the bit $i$, $i \in \{0,1,\ldots,n-1\}$, of
an NLFSR. All results in this paper are derived for NLFSRs whose feedback functions
are singular functions of type

$$f_i = x_{i+1} \oplus g_i(x_0, \ldots, x_{n-1}), \quad (1)$$

where $g_i : \{0,1\}^{n-1} \rightarrow \{0,1\}$, $i+1 \notin dep(g_i)$, and the sign "+" is modulo $n$. Singularity
guarantees that the state transition graph of an NLFSR is "branchless", i.e. that each
state belongs to one of the state cycles.

Let $s_i(t)$ denote the value of the bit $i$ at time $t$. The sequence of states of an $n$-bit
NLFSR with the singular feedback functions can be described by a system of $n$
non-linear equations of type:

$$\begin{cases}
s_{n-1}(t) = s_0(t-1) \oplus g_{n-1}(s_1(t-1), s_2(t-1), \ldots, s_{n-1}(t-1)) \\
s_{n-2}(t) = s_{n-1}(t-1) \oplus g_{n-2}(s_0(t-1), \ldots, s_{n-2}(t-1)) \\
\ldots \\
s_0(t) = s_1(t-1) \oplus g_0(s_0(t-1), s_2(t-1), \ldots, s_{n-1}(t-1)).
\end{cases} \quad (2)$$



Fig. 3. The Fibonacci LFSR (left) and the Galois LFSR (right) for the generator
polynomial $x^3 + x + 1$.



3 A Condition for Existence of a Non-Linear Recurrence

In this section, we formulate a condition for existence of a non-linear recurrence de- 
scribing the output sequence of an NLFSR. First, we introduce some definitions which 
are necessary for the presentation of main results. 

Definition 1. Two NLFSRs are equivalent if there are initial states, possibly different 
for each NLFSR, from which they generate the same output sequences. 

Definition 2. The feedback graph of an NLFSR has $n$ vertices $v_0, \ldots, v_{n-1}$ representing
the bits $0, \ldots, n-1$. There is an edge from $v_i$ to $v_j$ if $i \in dep(f_j)$, $i,j \in \{0,1,\ldots,n-1\}$.

Definition 3. The terminal bit of an $n$-bit NLFSR is the bit with the largest index $i$ which
satisfies the following condition: For all bits $j$ such that $i > j \geq 0$, the feedback function
$f_j$ is of type $f_j = x_{j+1}$, $i,j \in \{0,1,\ldots,n-1\}$.

Definition 4. The operation substitution, denoted by $sub(v_i, v_j)$, is defined for any
vertex $v_i$ which has a unique predecessor $v_j$. The substitution $sub(v_i, v_j)$ removes $v_i$ from
the feedback graph and, for each successor $v_k$ of $v_i$, replaces the edge $(v_i, v_k)$ by an edge
$(v_j, v_k)$, $i,j,k \in \{0,\ldots,n-1\}$.

Definition 5. Given a feedback graph $G$, the reduced feedback graph of $G$ is a graph
obtained by subsequently applying the substitution to all vertices of $G$ with the input
degree 1.

Since substitution merges a vertex with its unique predecessor, the order of applying 
the substitution does not influence the resulting reduced feedback graph, i.e. it is unique 
for a given G. 

Lemma 1. If the feedback graph of an $n$-bit NLFSR can be reduced to a single vertex
$v_i$, $i \in \{0,1,\ldots,n-1\}$, then there exists a non-linear recurrence describing the sequence
of values of the bit $i$ of type

$$s_i(t) = \sum_{j=0}^{2^n-1} \Big( a_j \cdot \prod_{k=0}^{n-1} s_i^{j_k}(t-n+k) \Big), \quad (3)$$

where $a_j \in \{0,1\}$, $(j_0 j_1 \ldots j_{n-1})$ is the binary expansion of $j$ with $j_{n-1}$ being the least
significant bit, and $s_i^{j_k}(t-n+k)$ is defined as follows

Fig. 4. Reduction steps for the feedback graph of the Fibonacci NLFSR from the
example: (a) initial graph; (b) after $sub(v_0,v_1)$; (c) after $sub(v_1,v_2)$; (d) after $sub(v_2,v_3)$.



Proof: Let $v_i$ be a vertex of the feedback graph which has a unique predecessor $v_j$ and $m$
successors $v_{k_1}, \ldots, v_{k_m}$, $j, k_p \in \{0,1,\ldots,n-1\}$, $p \in \{0,1,\ldots,m\}$. By Df. 2 this implies
that $s_i(t) = s_j(t-1)$ and, for each $p$, $s_{k_p}(t)$ depends on $s_i(t-1)$.

The substitution $sub(v_i, v_j)$ is equivalent to replacing the variable $s_i(t-1)$ in the
equation of each $s_{k_p}(t)$ by $s_j(t-2)$. This reduces the number of variables in the
equations (2) by one and reduces the number of equations by one.

If the feedback graph of an NLFSR can be reduced to a single vertex, say $v_i$, then the
substitution can be applied $n-1$ times. So, the number of variables in the equations (2)
can be reduced to a single variable and the number of equations can be reduced to a
single equation. This equation corresponds to the non-linear recurrence relation describing
the sequence of states of the bit $i$ of the NLFSR.

□ 

Example 1: As an example, consider a 4-bit Fibonacci NLFSR with the feedback
function $f_3 = x_0 \oplus x_1 \oplus x_2 \oplus x_1x_3$. Its sequence of states can be described by the following
equations:

This NLFSR generates the following output sequence with the period 15:

111011000101001... 

The feedback graph of this NLFSR is shown in Figure 4(a). It can be reduced to a
single vertex as follows:

1. $sub(v_0,v_1)$ reduces the graph to Figure 4(b). This is equivalent to substituting $s_0(t)$
by $s_1(t-1)$ into the equation of $s_3(t)$:

$$s_3(t) = s_1(t-2) \oplus s_1(t-1) \oplus s_2(t-1) \oplus s_1(t-1)s_3(t-1).$$

2. $sub(v_1,v_2)$ reduces the graph to Figure 4(c). This is equivalent to substituting $s_1(t)$
by $s_2(t-1)$ into the equation of $s_3(t)$:

$$s_3(t) = s_2(t-3) \oplus s_2(t-2) \oplus s_2(t-1) \oplus s_2(t-2)s_3(t-1).$$

3. $sub(v_2,v_3)$ reduces the graph to Figure 4(d). This is equivalent to substituting $s_2(t)$
by $s_3(t-1)$ into the equation of $s_3(t)$:

$$s_3(t) = s_3(t-4) \oplus s_3(t-3) \oplus s_3(t-2) \oplus s_3(t-3)s_3(t-1).$$

This gives us a non-linear recurrence describing the sequence of values of the bit 3. 
Since other bits repeat the content of the 3rd bit, the recurrence is identical for all bits, 
and thus for the output of the NLFSR. 

It is easy to see that the feedback graph of a Fibonacci NLFSR can always be
reduced to a single vertex $v_{n-1}$. Therefore, for a Fibonacci NLFSR, a non-linear
recurrence of type (3) always exists. Its coefficients $a_i$, $i \in \{0,1,\ldots,2^n-1\}$, are equal to the
coefficients $c_i$ of the ANF of the feedback function $f_{n-1}$.

For Galois NLFSRs, a non-linear recurrence of type (3) may or may not exist. If it
exists, it may be different for different bits.
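
The reduction of Definitions 4 and 5 can be run mechanically on the dependence sets. The Python sketch below is an added example, not code from the paper: it reduces the feedback graph of the Fibonacci NLFSR of Example 1 and of two registers constructed for this illustration, and records the substitutions in the order applied. The function name and the encoding of each $f_j$ as a list of index tuples are assumptions of the example.

```python
# Added illustration; representation and names are assumptions, not the paper's code.
# nlfsr[j] lists the ANF product-terms (tuples of variable indexes) of f_j.

def reduce_feedback_graph(nlfsr):
    """Apply sub(v_i, v_j) until no vertex with a unique predecessor other than
    itself remains. Returns (remaining vertices, substitutions in applied order)."""
    # preds[j] = dep(f_j): every variable of an ANF term is in the dependence set,
    # and there is an edge v_i -> v_j for every i in preds[j].
    preds = {j: {x for p in terms for x in p} for j, terms in nlfsr.items()}
    applied = []
    progress = True
    while progress:
        progress = False
        for i in sorted(preds):
            if len(preds[i]) == 1 and i not in preds[i]:
                (j,) = preds[i]
                del preds[i]                      # remove v_i from the graph
                for k in preds:                   # re-root edges (v_i, v_k) at v_j
                    if i in preds[k]:
                        preds[k] = (preds[k] - {i}) | {j}
                applied.append((i, j))
                progress = True
                break
    return set(preds), applied

# Example 1: f_3 = x0 + x1 + x2 + x1x3, f_2 = x3, f_1 = x2, f_0 = x1.
FIB = {3: [(0,), (1,), (2,), (1, 3)], 2: [(3,)], 1: [(2,)], 0: [(1,)]}
# Constructed Galois register: f_3 = x0, f_2 = x3 + x0 + x1 + x0x2, f_1 = x2, f_0 = x1.
GAL = {3: [(0,)], 2: [(3,), (0,), (1,), (0, 2)], 1: [(2,)], 0: [(1,)]}
# Constructed 3-bit register in which every vertex has two predecessors.
STUCK = {2: [(0,), (1,)], 1: [(2,), (0,)], 0: [(1,), (2,)]}

if __name__ == "__main__":
    for name, reg in [("Example 1", FIB), ("Galois", GAL), ("stuck", STUCK)]:
        left, applied = reduce_feedback_graph(reg)
        steps = ", ".join(f"sub(v{i},v{j})" for i, j in applied) or "none"
        print(f"{name}: remaining {sorted(left)}; substitutions: {steps}")
```

For Example 1 the recorded substitutions follow the steps of Figure 4; the third register cannot be reduced at all, so Lemma 1 gives no recurrence for it.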

Example 2: As another example, consider a Galois NLFSR with the following feedback
functions:

$$f_1 = x_2,$$

$$f_0 = x_1 \oplus x_2 \oplus x_3.$$

Its feedback graph can be reduced to the vertex $v_3$, giving us the following recurrence:

$$s_3(t) = s_3(t-4) \oplus s_3(t-3) \oplus s_3(t-2) \oplus s_3(t-3)s_3(t-1).$$

This recurrence is the same as the one of the Fibonacci NLFSR from Example 1.
Bits 2 and 1 repeat the same recurrence as the bit 3; however, the value of the bit 0 is
the XOR of the bits 1, 2 and 3. Thus, its sequence of values differs from the one of the
3rd bit. Therefore, the output sequence of this Galois NLFSR is different from the output
sequence of the Fibonacci NLFSR from Example 1.

4 A Transformation from the Fibonacci to the Galois NLFSRs 

In this section, we show how to transform a Fibonacci NLFSR into an equivalent Galois 
NLFSR. 

Let $P_f$ denote the set of all product-terms of the ANF of a function $f : \{0,1\}^n \rightarrow \{0,1\}$.
Given an ANF product-term $p \in P_f$, the notation $p_{-k}$ means that the index of
each variable $x_i$ of $p$ is changed to $x_{i-k}$, where "$-$" is modulo $n$.

For example, if $n = 4$ and $p = x_0x_1x_3$ then

$$p_{-1} = x_3x_0x_2, \quad p_{-2} = x_2x_3x_1, \quad p_{-3} = x_1x_2x_0.$$

Definition 6. The operation shifting, denoted by $f_a \xrightarrow{p} f_b$, $p \in P_{f_a}$, $a,b \in \{0,1,\ldots,n-1\}$,
$b < a$, removes the product-term $p$ from the ANF of the function $f_a$ and adds the
product-term $p_{-(a-b)}$ to the ANF of the function $f_b$.

As we can see from the definition, shifting subtracts $(a-b)$ from the index of each
variable in the shifted product-term (modulo $n$). For example, if initially

$$f_3 = x_0 \oplus x_1x_3, \quad f_2 = x_3,$$

then, after $f_3 \xrightarrow{x_1x_3} f_2$, we get

$$f_3 = x_0, \quad f_2 = x_3 \oplus x_0x_2.$$

Definition 7. An $n$-bit NLFSR is uniform if:

(a) all its feedback functions are of type (1), and

(b) for all its bits $i$ such that $n-1 \geq i \geq \tau$, the following condition holds:

$$\alpha_{max}(g_i) \leq \tau \quad (4)$$

where $\tau$ is the terminal bit of the NLFSR, $i \in \{0,1,\ldots,n-1\}$.

Note that any Fibonacci NLFSR is uniform.

Lemma 2. If an NLFSR is uniform, then its feedback graph can be reduced to a single 
vertex. 

Proof: Suppose that an NLFSR $N$ is uniform. We show that then we can always reduce
the feedback graph of $N$ to the vertex $v_\tau$ corresponding to the terminal bit $\tau$ of $N$.

By Df. 3, for $i \in \{0,1,\ldots,\tau-1\}$, each vertex $v_i$ of the feedback graph has input
degree 1. So, for each $i \in \{0,1,\ldots,\tau-1\}$, we can apply the substitution $sub(v_i, v_{i+1})$
to remove $v_i$ from the feedback graph and, for each successor $v_k$ of $v_i$, to replace
the edge $(v_i, v_k)$ by an edge $(v_\tau, v_k)$. Therefore, by applying a sequence of substitutions
$sub(v_0,v_1), sub(v_1,v_2), \ldots, sub(v_{\tau-1}, v_\tau)$ we can remove $v_0, v_1, \ldots, v_{\tau-1}$ from the
feedback graph and change the origin of all outgoing edges of $v_0, v_1, \ldots, v_{\tau-1}$ to $v_\tau$.

Since the condition (4) holds and the origin of all outgoing edges of $v_0, v_1, \ldots, v_{\tau-1}$
is changed to $v_\tau$, each of the vertices $v_i$ for $i \in \{\tau+1, \tau+2, \ldots, n-1\}$ has no more than
two incoming edges: one from $v_{i+1}$ and one from $v_\tau$. This implies that each of them has
the output degree 1.

Clearly, $v_{n-1}$ has only one incoming edge, from $v_\tau$. By applying the substitution
$sub(v_{n-1}, v_\tau)$, we can remove $v_{n-1}$ and replace the edge $(v_{n-1}, v_{n-2})$ by the edge $(v_\tau, v_{n-2})$.
This makes the input degree of $v_{n-2}$ one. Continuing similarly with the sequence of
substitutions $sub(v_{n-2}, v_\tau), \ldots, sub(v_{\tau+1}, v_\tau)$ we remove $v_{n-2}, \ldots, v_{\tau+1}$ and reduce the
graph to one vertex, $v_\tau$.



□ 



The above condition is sufficient, but not necessary. For example, the NLFSR from 
the Example 2 is not uniform, but it can be reduced to a single vertex. 

The following theorem is the main result of the paper. It presents a sufficient
condition for equivalence of two NLFSRs. Note that it is formulated for shiftings on
sub-functions $g_i$ of the singular feedback functions $f_i$ (see the expression (1)), because the
variable $x_{i+1}$ should not be shifted in order to preserve the register structure.

Theorem 1. Given a uniform NLFSR, a shifting $g_a \xrightarrow{P} g_b$, $a,b \in \{0,1,\ldots,n-1\}$, $b < a$,
$P \subseteq P_{g_a}$, preserves the equivalence if the transformed NLFSR is uniform as well.

Proof: See Appendix. 

The condition of Theorem 1 is sufficient, but not necessary. For example, the
following NLFSR can be obtained from the NLFSR from Example 1 by applying
the shiftings $f_3 \rightarrow f_0$, $f_3 \rightarrow f_1$ and $f_3 \rightarrow f_1$:

$$f_0 = x_1 \oplus x_0x_2.$$

This NLFSR is not uniform; however, it is equivalent to the NLFSR from Example 1.

Next, we formulate a condition which should be satisfied in order to obtain a uni- 
form NLFSR after shifting. 

Theorem 2. Given a uniform NLFSR $N$, an NLFSR obtained from $N$ by a shifting $g_a \xrightarrow{P} g_b$,
$a,b \in \{0,1,\ldots,n-1\}$, $b < a$, $P \subseteq P_{g_a}$, is uniform only if

$$b \geq a - \alpha_{min}(p). \quad (5)$$

Proof: If $b < a - \alpha_{min}(p)$, then $\alpha_{min}(p) < a - b$. Therefore, after the shifting $g_a \xrightarrow{P} g_b$,
$\alpha_{min}(p)$ becomes $\alpha_{min}(p) + n - (a-b) = \alpha_{min}(p) + b + (n-a)$. By Df. 6, $b < a$, thus
$a$ is always greater than 0. So, for any $a \in \{1,2,\ldots,n-1\}$, after shifting the feedback
function $g_b$ contains a product-term whose index is greater than $b$ by $n-a$. Since the
terminal bit of the NLFSR is smaller or equal to $b$, the condition (4) of Df. 7 is violated.

□ 

Often an equivalent Galois NLFSR can be obtained from a Fibonacci NLFSR by
shifting product-terms one-by-one. Sometimes, however, more than one product-term
has to be shifted in order to preserve the equivalence. For example, if the feedback
function $g_{n-1}$ has more than one product-term containing the variable $x_{n-1}$, then all
such product-terms have to be shifted. The Lemma below describes two cases in which
the product-terms can be shifted one-by-one.

Lemma 3. Given a uniform NLFSR with the terminal bit $\tau$ and a shifting $g_a \xrightarrow{P} g_b$,
$a,b \in \{0,1,\ldots,n-1\}$, $b < a$, $P \subseteq P_{g_a}$, the following holds:

(a) If $b \geq \tau$, then $g_a \xrightarrow{p} g_b$ preserves the equivalence for any $p \in P_{g_a}$ which satisfies the
condition (5).

(b) If $b < \tau$ and $\alpha_{max}(g_i) < b$ for all $i \in \{n-1, n-2, \ldots, b\}$, then $g_a \xrightarrow{p} g_b$ preserves
the equivalence for any $p \in P_{g_a}$ which satisfies the condition (5).

Proof: Case (a): By Df. 6, after the shifting $\alpha_{min}(p)$ becomes $\alpha_{min}(p) - (a-b)$. Since
the condition (5) is satisfied, $\alpha_{min}(p) \geq a - b$, i.e. after shifting the indexes of variables
of $p$ are reduced by some value between 1 and $\alpha_{min}(p)$. Therefore, after the shifting,
none of the product-terms of $p$ violates the condition (4). Since the initial NLFSR is
uniform and the terminal bit is not changed, the transformed NLFSR is uniform as
well, and therefore, by Theorem 1, the equivalence is preserved.

Case (b): Similarly to the case (a) we can show that, after the shifting, none of the
product-terms of $p$ violates the condition (4). Since $\alpha_{max}(g_i) < b$ for all $i$ by assumption,
the transformed NLFSR is uniform and therefore, by Theorem 1, the equivalence is
preserved.

□ 

The above Lemma implies that, for any Fibonacci NLFSR, shifting can always
reduce the index of the initial terminal bit $n-1$ at least by 1. It reduces the index of
the terminal bit exactly by 1 if $g_{n-1}$ of the Fibonacci NLFSR contains a product with
$\alpha_{max}(g_i) = n-1$ and $\alpha_{min}(g_{n-1}) = 1$. The smaller the difference between $\alpha_{max}(g_{n-1})$
and $\alpha_{min}(g_{n-1})$, the more the index of the initial terminal bit can be reduced.

5 Fully Shifted Galois NLFSRs 

Usually, there are multiple ways to transform a Fibonacci NLFSR into a Galois NLFSR. 
Next, we define a "fully shifted" Galois NLFSR which is unique for a given Fibonacci 
NLFSR and show how to compute it. 

Definition 8. An NLFSR is fully shifted if no product-term of any function $g_i$ can be
shifted to a function $g_j$ with the index $j < i$ without violating the condition (4), $i,j \in
\{0,1,\ldots,n-1\}$.

In the linear case, a fully shifted NLFSR reduces to a Galois LFSR, i.e. it is a 
generalization of the Galois LFSR. Note that this is not the case for NLFSRs which are 
not fully shifted. 

Algorithm 1: Given a uniform $n$-bit Fibonacci NLFSR $N$, the fully shifted Galois
NLFSR $\hat{N}$ which is equivalent to $N$ is obtained as follows.
First, the terminal bit $\tau$ of $\hat{N}$ is computed as:

$$\tau = \max_{\forall p \in P_{g_{n-1}} \text{ with } |p| > 1} (\alpha_{max}(p) - \alpha_{min}(p)), \quad (6)$$

where $|p|$ denotes the number of variables in the product-term $p$.

Then, each product-term $p \in P_{g_{n-1}}$ with $\alpha_{min}(p) \leq (n-1) - \tau$ is shifted to $g_{n-1-\alpha_{min}(p)}$:

$$g_{n-1} \xrightarrow{p} g_{n-1-\alpha_{min}(p)},$$

and each product-term $p \in P_{g_{n-1}}$ with $\alpha_{min}(p) > (n-1) - \tau$ is shifted to $g_\tau$:

$$g_{n-1} \xrightarrow{p} g_\tau.$$

Theorem 3. Algorithm 1 correctly computes the fully shifted Galois NLFSR for a given
Fibonacci NLFSR.

Proof: For each product $p$ such that $\alpha_{min}(p) \leq (n-1) - \tau$, the indexes are reduced by
$\alpha_{min}(p)$. So, after the shifting, the smallest index becomes 0 and the largest becomes
$\alpha_{max}(p) - \alpha_{min}(p)$. By equation (6), $\alpha_{max}(p) - \alpha_{min}(p) \leq \tau$.

For each product $p$ such that $\alpha_{min}(p) > (n-1) - \tau$, the indexes are reduced by
$(n-1) - \tau$. Since $\alpha_{min}(p) \leq \alpha_{max}(p) \leq n-1$, the largest index after the shifting is
$\leq \alpha_{max}(p) - ((n-1) - \tau) \leq \tau$. Since $(n-1) - \tau < \alpha_{min}(p) \leq \alpha_{max}(p)$, the smallest
index after the shifting is $\leq \alpha_{min}(p) - ((n-1) - \tau) \leq \tau$.

So, the transformed NLFSR $\hat{N}$ is uniform and therefore, by Theorem 1, two NLFSRs
are equivalent. It remains to prove that $\hat{N}$ is fully shifted.

By Df. 6, the index of each variable of $p$ is reduced by $\alpha_{min}(p)$ after the shifting.
Therefore, for each product-term $p \in P_{g_{n-1}}$ such that $\alpha_{min}(p) \leq \tau$, $p$ after the shifting
contains a variable $x_0$. If $p$ is shifted further from $g_{n-1-\alpha_{min}(p)}$ to $g_{n-1-\alpha_{min}(p)-i}$ for some
$1 \leq i \leq n-1-\alpha_{min}(p)$, the index of $x_0$ increases to $n-i$. For every value of $i$ in the
range $1 \leq i \leq n-1-\alpha_{min}(p)$, $n-i > n-1-\alpha_{min}(p)$, so the condition (4) is violated
and the resulting NLFSR is not equivalent to the initial Fibonacci NLFSR.

Each product-term $p \in P_{g_{n-1}}$ such that $\alpha_{min}(p) > \tau$ is shifted to the terminal bit $\tau$.
If $p$ is shifted to some $i < \tau$, then, according to the equation (6), there is a product-term
$p^*$ which has $\alpha_{max}(p^*) > i$ after shifting. Thus, the condition (4) is violated and the
resulting NLFSR is not equivalent to the initial Fibonacci NLFSR.

□ 

Example 4: As an example, consider the following 32-bit Fibonacci NLFSR which is
used in the NLFSR-based stream cipher from [6]:

$$f_{31} = x_0 \oplus x_2 \oplus x_6 \oplus x_7 \oplus x_{12} \oplus x_{17} \oplus x_{20} \oplus x_{27} \oplus x_{30} \oplus x_3x_9 \oplus x_{12}x_{15} \oplus x_4x_5x_{16}$$

Its corresponding fully shifted Galois NLFSR has the terminal bit $\tau = 12$ and the
following feedback functions:

The functions which are omitted are of type $f_i = x_{i+1}$. This NLFSR has 7 feedback
variables: $x_0, x_1, x_3, x_6, x_8, x_{11}$ and $x_{12}$, while the Fibonacci NLFSR has 15 feedback
variables.

We can further reduce the depth of circuits implementing feedback functions and
the number of feedback variables as follows:

This NLFSR has 5 feedback variables: $x_0, x_1, x_4, x_6$ and $x_{11}$.
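
Algorithm 1 and the equivalence stated by Theorem 3 can be checked by simulation. The Python sketch below is an added example, not code from the paper: it applies Algorithm 1 to the ANF of $g_{n-1}$, derives the Galois initial state from the first $n$ Fibonacci output bits, and compares the two output sequences for Example 1, Example 4 and the $x^3 + x + 1$ LFSR of Section 1. The function names, the encoding of product-terms as index tuples and the state-recovery helper are assumptions of the example.

```python
# Added illustration; names and data layout are assumptions, not the paper's code.
# A product-term is a tuple of variable indexes; state[i] holds bit i; bit 0 is output.

def fully_shift(n, g_top):
    """Algorithm 1. g_top: ANF terms of g_{n-1} (f_{n-1} without its x_0 term).
    Returns (tau, g) with g[i] the terms of g_i in the fully shifted Galois NLFSR."""
    tau = max((max(p) - min(p) for p in g_top if len(p) > 1), default=0)  # eq. (6)
    g = {i: [] for i in range(n)}
    for p in g_top:
        shift = min(min(p), (n - 1) - tau)          # a - b for this product-term
        g[n - 1 - shift].append(tuple(x - shift for x in p))
    return tau, g

def fibonacci(n, g_top):
    """Same register in Fibonacci form: g_{n-1} is the only non-zero g_i."""
    g = {i: [] for i in range(n)}
    g[n - 1] = list(g_top)
    return g

def anf(terms, bit):
    """XOR of AND-terms; bit(x) returns the current value of variable x."""
    return sum(all(bit(x) for x in p) for p in terms) & 1

def run(n, g, state, length):
    """Clock f_i = x_{i+1} XOR g_i (index i+1 modulo n); return `length` output bits."""
    s, out = list(state), []
    for _ in range(length):
        out.append(s[0])
        s = [s[(i + 1) % n] ^ anf(g[i], s.__getitem__) for i in range(n)]
    return out

def galois_state(n, tau, g, out):
    """Initial state of the uniform Galois NLFSR that reproduces `out`.
    Bits i <= tau only shift, so s_i(t) = out[t+i]; above tau, invert
    s_{i-1}(t+1) = s_i(t) XOR g_{i-1}, whose variables all have index <= tau."""
    def bit(i, t):
        if i <= tau:
            return out[t + i]
        return bit(i - 1, t + 1) ^ anf(g[i - 1], lambda x: out[t + x])
    return [bit(i, 0) for i in range(n)]

def feedback_vars(g):
    """Sorted indexes of all variables used by the functions g_i."""
    return sorted({x for terms in g.values() for p in terms for x in p})

def compare(n, g_top, fib_state, length):
    """Run both configurations; returns (tau, Galois state, Fibonacci out, Galois out)."""
    tau, g = fully_shift(n, g_top)
    ref = run(n, fibonacci(n, g_top), fib_state, length)
    start = galois_state(n, tau, g, ref)
    return tau, start, ref, run(n, g, start, length)

# g_{n-1} of Example 1, of Example 4, and of the x^3 + x + 1 LFSR from Section 1.
EX1 = [(1,), (2,), (1, 3)]
EX4 = [(2,), (6,), (7,), (12,), (17,), (20,), (27,), (30,),
       (3, 9), (12, 15), (4, 5, 16)]
LFSR3 = [(1,)]

if __name__ == "__main__":
    for name, n, g_top, init in [("Example 1", 4, EX1, [1, 1, 1, 0]),
                                 ("LFSR x^3+x+1", 3, LFSR3, [1, 0, 0]),
                                 ("Example 4", 32, EX4, [1] + [0] * 31)]:
        tau, start, ref, out = compare(n, g_top, init, 64)
        print(name, "tau =", tau, "match =", ref == out,
              "Galois start (bit n-1..0) =", "".join(map(str, reversed(start))))
```

The Fibonacci start states are written with bit 0 first, so `[1, 0, 0]` is the state 001 of the LFSR example; the Galois state is recovered from the keystream rather than searched for, which keeps the 32-bit case cheap.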

6 Conclusion 

In this paper, we show how to transform a Fibonacci NLFSR into the Galois configura- 
tion. 

The most important open problem is finding an algorithm for constructing NLFSRs 
with a guaranteed long period. This problem is hard because there seems to be no simple 
algebraic theory supporting it. Specifically, primitive generator polynomials for LFSR 
have no analog in the nonlinear case. 
7 Appendix: Proof of the Theorem 1

Suppose that the transformed NLFSR is uniform. Then, by Lemma 2, its feedback graph
can be reduced to the vertex $v_b$ corresponding to the terminal bit $b$ of the transformed
NLFSR after the shifting $g_a \xrightarrow{P} g_b$. So, by Lemma 1, there exists a non-linear recurrence
describing the sequence of values of the bit $b$. It remains to prove that this recurrence is
the same as the one of the initial NLFSR.

It is sufficient to consider the case when the shifting $g_a \xrightarrow{P} g_b$ moves a product-term
of type $x_kx_a$ for some $k < a$. For product-terms with more variables or the product-term
without $x_a$ the proof is similar.

If the shifted product is $x_kx_a$, then the function $g_a$ can be represented as $g_a = g_a^* \oplus
x_kx_a$, where $g_a^* = g_a \oplus x_kx_a$. So, the NLFSR before the shifting can be represented by
the following system of equations:

$$\begin{cases}
s_{n-1}(t) = s_0(t-1) \oplus g_{n-1}(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \\
\ldots \\
s_a(t) = s_{a+1}(t-1) \oplus g_a^*(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \oplus s_k(t-1)s_a(t-1) \\
s_{a-1}(t) = s_a(t-1) \\
\ldots \\
s_0(t) = s_1(t-1)
\end{cases}$$

Since $i+1 \notin dep(g_i)$ for $i \in \{0,1,\ldots,n-1\}$, each $g_i$ does not depend on $s_{i+1}(t-1)$.
However, we keep this redundant term in the equations in order to be able to later
introduce the same abbreviations for all $g_i$.

Note that each of $g_{n-1}, g_{n-2}, \ldots, g_a^*$ depends on variables with indexes smaller or
equal than $b$ only since, by assumption, the condition (4) holds after the shifting.

A substitution $sub(v_i, v_{i+1})$ is equivalent to replacing the variable $s_i(t-1)$ in the
equation of each successor of $v_i$ by $s_{i+1}(t-2)$. After the sequence of $a$ substitutions
$sub(v_0,v_1), \ldots, sub(v_{a-1},v_a)$, each $s_i(t-1)$ gets replaced by $s_a(t-1-(a-i))$, so the
above equations reduce to:



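$$\begin{cases}
s_{n-1}(t) = s_a(t-a-1) \oplus g_{n-1}(s_a(t-a-1), s_a(t-a), \ldots, s_a(t-1-(a-b))) \\
\ldots \\
s_a(t) = s_{a+1}(t-1) \oplus g_a^*(s_a(t-a-1), s_a(t-a), \ldots, s_a(t-1-(a-b))) \oplus s_a(t-1-a+k)s_a(t-1)
\end{cases}$$

To shorten the expressions, let us introduce an abbreviation $\mathbf{s}_a := (s_a(t-a-1), s_a(t-a),
\ldots, s_a(t-1-(a-b)))$ and let the notation $\mathbf{s}_a(i)$ mean that each element $s_a(x)$ of
$\mathbf{s}_a$ is replaced by $s_a(x+i)$. For example, $\mathbf{s}_a(-1) = (s_a(t-a-2), s_a(t-a-1), \ldots,
s_a(t-2-(a-b)))$. Then, the above equations can be re-written as:

$$\begin{cases}
s_{n-1}(t) = s_a(t-a-1) \oplus g_{n-1}(\mathbf{s}_a) \\
\ldots \\
s_a(t) = s_{a+1}(t-1) \oplus g_a^*(\mathbf{s}_a) \oplus s_a(t-1-a+k)s_a(t-1)
\end{cases}$$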

After a sequence of $n-a-1$ substitutions $sub(v_{n-1}, v_{n-2}), \ldots, sub(v_{a+1}, v_a)$, we get
a non-linear recurrence describing the sequence of values of the bit $a$:

$$s_a(t) = s_a(t-n) \oplus g_{n-1}(\mathbf{s}_a(-n+a+1)) \oplus g_{n-2}(\mathbf{s}_a(-n+a)) \oplus \ldots \oplus g_a^*(\mathbf{s}_a) \oplus s_a(t-1-a+k)s_a(t-1)$$

After expanding the abbreviation $\mathbf{s}_a$, the above recurrence becomes:

$$\begin{array}{rl}
s_a(t) = & s_a(t-n) \\
\oplus & g_{n-1}(s_a(t-n), s_a(t-n+1), \ldots, s_a(t-n+b)) \\
\oplus & g_{n-2}(s_a(t-n-1), s_a(t-n), \ldots, s_a(t-n+b-1)) \\
\oplus & \ldots \\
\oplus & g_a^*(s_a(t-a-1), s_a(t-a), \ldots, s_a(t-1-a+b)) \\
\oplus & s_a(t-1-a+k)s_a(t-1)
\end{array}$$



On the other hand, the NLFSR after the shifting can be represented by the following
system of equations:

$$\begin{cases}
s_{n-1}(t) = s_0(t-1) \oplus g_{n-1}(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \\
\ldots \\
s_a(t) = s_{a+1}(t-1) \oplus g_a^*(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \\
s_{a-1}(t) = s_a(t-1) \\
\ldots \\
s_b(t) = s_{b+1}(t-1) \oplus s_{k-(a-b)}(t-1)s_b(t-1) \\
\ldots \\
s_0(t) = s_1(t-1)
\end{cases}$$

After the sequence of $b$ substitutions $sub(v_0,v_1), \ldots, sub(v_{b-1},v_b)$ we get:

$$\begin{cases}
s_{n-1}(t) = s_b(t-b-1) \oplus g_{n-1}(s_b(t-b-1), s_b(t-b), \ldots, s_b(t-1)) \\
\ldots \\
s_a(t) = s_{a+1}(t-1) \oplus g_a^*(s_b(t-b-1), s_b(t-b), \ldots, s_b(t-1)) \\
s_{a-1}(t) = s_a(t-1) \\
\ldots \\
s_b(t) = s_{b+1}(t-1) \oplus s_b(t-1+k-a)s_b(t-1)
\end{cases}$$

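Introducing an abbreviation $\mathbf{s}_b := (s_b(t-b-1), s_b(t-b), \ldots, s_b(t-1))$ we can
re-write the above equations as:

$$\begin{cases}
s_{n-1}(t) = s_b(t-b-1) \oplus g_{n-1}(\mathbf{s}_b) \\
\ldots \\
s_a(t) = s_{a+1}(t-1) \oplus g_a^*(\mathbf{s}_b) \\
\ldots \\
s_b(t) = s_{b+1}(t-1) \oplus s_b(t-1+k-a)s_b(t-1)
\end{cases}$$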

After the sequence of $n-b-1$ substitutions $sub(v_{n-1}, v_{n-2}), \ldots, sub(v_{b+1}, v_b)$, we
get a non-linear recurrence describing the sequence of values of the bit $b$:

$$s_b(t) = s_b(t-n) \oplus g_{n-1}(\mathbf{s}_b(-n+b+1)) \oplus g_{n-2}(\mathbf{s}_b(-n+b)) \oplus \ldots \oplus g_a^*(\mathbf{s}_b(-(a-b))) \oplus s_b(t-1+k-a)s_b(t-1)$$

After expanding the abbreviation $\mathbf{s}_b$, the above recurrence becomes:

$$\begin{array}{rl}
s_b(t) = & s_b(t-n) \\
\oplus & g_{n-1}(s_b(t-n), s_b(t-n+1), \ldots, s_b(t-n+b)) \\
\oplus & g_{n-2}(s_b(t-n-1), s_b(t-n), \ldots, s_b(t-n+b-1)) \\
\oplus & \ldots \\
\oplus & g_a^*(s_b(t-a-1), s_b(t-a), \ldots, s_b(t-1-a+b)) \\
\oplus & s_b(t-1-a+k)s_b(t-1)
\end{array}$$

The non-linear recurrences (7) and (8) are the same, so two NLFSRs are equivalent.

□ 



